Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-a9nq-eg1d-2fen
Vulnerability ID VCID-a9nq-eg1d-2fen
Aliases BIT-jupyter-base-notebook-2022-29238
BIT-jupyter-notebook-2022-29238
CVE-2022-29238
GHSA-v7vq-3x77-87vg
PYSEC-2022-212
Summary Jupyter Notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.12, authenticated requests to the notebook server with `ContentsManager.allow_hidden = False` only prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were 'hidden' but not 'inaccessible'). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be disallowed. Because fully authenticated requests are required, this is of relatively low impact. But if a server's root directory contains sensitive files whose only protection from the server is being hidden (e.g. `~/.ssh` while serving $HOME), then any authenticated requests could access files if their names are guessable. Such contexts also necessarily have full access to the server and therefore execution permissions, which also generally grants access to all the same files. So this does not generally result in any privilege escalation or increase in information access, only an additional, unintended means by which the files could be accessed. Version 6.4.12 contains a patch for this issue. There are currently no known workarounds.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-425 Direct Request ('Forced Browsing')
System Score Found at
epss 0.00511 https://api.first.org/data/v1/epss?cve=CVE-2022-29238
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-v7vq-3x77-87vg
cvssv3.1 4.3 https://github.com/jupyter/notebook
generic_textual MODERATE https://github.com/jupyter/notebook
cvssv3.1 4.3 https://github.com/jupyter/notebook/security/advisories/GHSA-v7vq-3x77-87vg
cvssv3.1_qr MODERATE https://github.com/jupyter/notebook/security/advisories/GHSA-v7vq-3x77-87vg
generic_textual MODERATE https://github.com/jupyter/notebook/security/advisories/GHSA-v7vq-3x77-87vg
ssvc Track https://github.com/jupyter/notebook/security/advisories/GHSA-v7vq-3x77-87vg
cvssv3.1 4.3 https://github.com/pypa/advisory-database/tree/main/vulns/notebook/PYSEC-2022-212.yaml
generic_textual MODERATE https://github.com/pypa/advisory-database/tree/main/vulns/notebook/PYSEC-2022-212.yaml
cvssv3.1 4.3 https://nvd.nist.gov/vuln/detail/CVE-2022-29238
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2022-29238
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-29238
https://github.com/jupyter/notebook
https://github.com/jupyter/notebook/security/advisories/GHSA-v7vq-3x77-87vg
https://github.com/pypa/advisory-database/tree/main/vulns/notebook/PYSEC-2022-212.yaml
1013272 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013272
CVE-2022-29238 https://nvd.nist.gov/vuln/detail/CVE-2022-29238
GHSA-v7vq-3x77-87vg https://github.com/advisories/GHSA-v7vq-3x77-87vg
USN-5585-1 https://usn.ubuntu.com/5585-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/jupyter/notebook
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/jupyter/notebook/security/advisories/GHSA-v7vq-3x77-87vg
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:05:26Z/ Found at https://github.com/jupyter/notebook/security/advisories/GHSA-v7vq-3x77-87vg
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/notebook/PYSEC-2022-212.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-29238
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.66765
EPSS Score 0.00511
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T20:30:22.973846+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/notebook/PYSEC-2022-212.yaml 38.6.0